Archive for May, 2011

Sometimes you have no choice but to approach malware infestations manually, even when running an AV program. Generally speaking, AV relies on malware definitions to detect threats and, if your definitions are not up-to-date, you can get hit by a Trojan, virus, or worm. Even with up-to-date definitions, you are still open to attack by the latest threats for which signatures do not yet exist. When this happens, you need to manually discover the threat and remove it. Such was the case in an earlier blog.

In the example here, one of our users was infected during a “drive-by” while browsing the Internet. Our enterprise anti-virus failed to detect the threat, and manual AV scans of the system failed to remove it because there was no definition for it yet. This is one of several variants of fake anti-virus (scareware) from the Braviax suite, XP Internet Security 2011, which presents various security window pop-ups and a fake scan.

In Windows XP, if you have Dr Watson set as your post-mortem default debugger (by default it is), it usually does a good job of catching exceptions when the Windows print spooler, spoolsv.exe, crashes. Most print spooler crashes are the result of a print driver. Finding the problem print driver is a simple matter of going into drwtsn32.log and finding the thread state dump that contains the word FAULT, literally.
A user.dmp is also created in the DrWatson folder. This dump file offers more detail and confirms it is a print driver, but requires the Windows Debugging Tools to analyze. Resort to the user.dmp if the log is not revealing enough.
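The drwtsn32.log triage described above, as an added example that is not from the original post: a small Python helper that finds the thread state dump carrying the "FAULT ->" marker and lists the modules on that thread's stack back trace, so the non-Windows module (the likely print driver) stands out. The log fragment is constructed for illustration, EXAMPLEDRV is a placeholder module name, and the section headers follow the drwtsn32 layout.

```python
import re

# Constructed drwtsn32.log fragment (not a real capture); EXAMPLEDRV is a placeholder.
SAMPLE_LOG = """\
Application exception occurred:
        App: C:\\WINDOWS\\system32\\spoolsv.exe (pid=1456)
        Exception number: c0000005 (access violation)

*----> State Dump for Thread Id 0x5ac <----*
function: ntdll!KiFastSystemCallRet
        7c90e510 c3               ret
*----> Stack Back Trace <----*
ChildEBP RetAddr  Args to Child
00f5ff9c 7c90d21a 00000000 00000000 00000000 ntdll!KiFastSystemCallRet

*----> State Dump for Thread Id 0x7d0 <----*
function: EXAMPLEDRV!DrvEnablePDEV
        10001230 8b4508           mov     eax,[ebp+0x8]
FAULT ->10001233 8b08             mov     ecx,[eax]               ds:0023:00000000=????????
*----> Stack Back Trace <----*
ChildEBP RetAddr  Args to Child
0128f8a4 10001a9c 00000000 0014e2b0 00000000 EXAMPLEDRV!DrvEnablePDEV+0x13
0128f8c0 77f15a2c 0014e2b0 00000000 0128f950 EXAMPLEDRV!DrvResetPDEV+0x4c
0128f9e0 77f1c3d8 00000001 0014e2b0 00000000 GDI32!hdcCreateDCW+0x1b4
0128fa10 6b8e1d3a 0014e2b0 00000000 00000000 spoolsv!CreateFileW+0x55
"""

THREAD_HDR = re.compile(r"\*----> State Dump for Thread Id (0x[0-9a-fA-F]+) <----\*")
FRAME = re.compile(r"\b([A-Za-z0-9_]+)!([A-Za-z0-9_@]+)")  # module!symbol

def faulting_thread(log_text):
    """Return (thread_id, [modules in stack order]) for the thread whose state
    dump holds the 'FAULT ->' marker, or None if no thread faulted."""
    parts = THREAD_HDR.split(log_text)  # [preamble, id1, body1, id2, body2, ...]
    for tid, body in zip(parts[1::2], parts[2::2]):
        if "FAULT ->" not in body:
            continue
        trace = body.split("*----> Stack Back Trace <----*", 1)
        frames = trace[1] if len(trace) == 2 else ""
        modules = []
        for mod, _sym in FRAME.findall(frames):
            if mod not in modules:       # keep first-seen order, drop repeats
                modules.append(mod)
        return tid, modules
    return None

def suspect_modules(log_text, known=("ntdll", "kernel32", "GDI32", "spoolsv")):
    """Modules on the faulting stack that are not core Windows/spooler binaries;
    the first of these is the print driver to investigate."""
    found = faulting_thread(log_text)
    return [] if found is None else [m for m in found[1] if m not in known]
```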

Every now and then I use Word 2010 to blog. I recently ran into an issue where I could no longer post to my SharePoint blog at work from my workstation, and the error was rather generic, not alluding to anything: “Word cannot publish this post. The provider where you are trying to publish is unavailable…”
This was odd because previously blogs posted normally. Additionally, I was able to post to my WordPress blog on the Internet and to a different internal blog. To see what was happening, I turned to Process Monitor and set a filter for winword.exe. There was nothing unusual in the file and registry activity. However, the network activity stood out.